Multi-user vehicle access control

ABSTRACT

A system and method for permitting different authorized degrees of access to two or more users of a vehicle in a fleet of vehicles. Each user has a radio (RF) transponder coupled to an ignition key that operates the ignition switch of the vehicle. The transponder stores data indicating the degree of operating access authorized to each user for the vehicle.

[0001] This divisional application claims priority under 35 U.S.C. 120 from co-pending U.S. patent application Ser. No. 09/752,009, which was filed Dec. 28, 2000 by M. Arshad et al., the full disclosure of which is hereby incorporated by reference.

BACKGROUND OF THE INVENTION

[0002] Fleets of vehicles, such as taxis, rental cars, construction and agricultural work vehicles are often used by many individuals. Since these vehicles are typically designed for single operators, they have traditionally been configured to either permit or deny access and allow operational control based upon the use of a single access and ignition key. Anyone with the access and ignition key can access the vehicle simply by using the key to unlock the access door and can then operate the vehicle by using the key in the ignition mechanism.

[0003] In recent years, various accessory systems for cars and other vehicles have been devised, such as AM/FM radios, tape players, CD players, electronic maps and the like. These systems have typically been connected to the vehicle by tapping into the electrical power system. To reduce the risk of theft, many of these systems have been protected by passwords or special electrical keys that only allow access to those devices based on the knowledge of a special password or code, or the operation of a special radio transmitter.

[0004] Other systems such as radio controlled car locks, remote car starters and anti-theft systems have also been developed that permit owners or operators of the vehicles to control access to their vehicles. Radio transmitters in small key fobs have one or more functional buttons that communicate with a radio receiver on the vehicle. When a specific button is pressed, a wide variety of functions, such as unlocking or locking doors, beeping a horn, turning on the engine or the like are performed.

[0005] A unique situation exists when vehicles are used in fleets. Fleet vehicles, such as delivery trucks, taxis, rental cars and agricultural and construction work vehicles, may be operated by several individuals. Each of the operators may be authorized to use only certain aspects or functions of the vehicle. A driver of a delivery vehicle for one particular route may only be authorized to operate the vehicle on his route. A different driver operating the same vehicle may only be authorized to operate the same vehicle on a different route.

[0006] Similarly, a consumer renting a car may be authorized to drive the rental car for only a predetermined distance under the terms of his rental agreement. After the predetermined number of miles has elapsed, he may not be authorized to operate the car further. Another driver may be authorized to use the rental car without restriction. One operator of a loader/backhoe may be authorized to drive the vehicle on a road because he has the proper driver's license for that vehicle, whereas another operator of the loader/backhoe may be permitted only to operate the backhoe once the vehicle has stopped because he may not be properly licensed or insured.

[0007] The communication and control devices currently used with vehicles in a fleet do not allow the operation of a fleet vehicle to be parsed or authorized on such a case-by-case basis. When a rental car is rented, for example, the operator is usually given an ignition key and an integral radio transmitter key fob. The vehicle does not “know” one user from another, since the key fob and ignition key and any duplicates are useable by anyone to unlock the doors and to start the car. Different users with duplicate keys and fobs have the identical control access to the vehicle. Thus, the rental car responds in an identical manner to the original ignition key and key fob or any duplicate. However, if the ignition key and key fob of one vehicle is accidentally exchanged for the ignition key and key fob of another vehicle, most likely neither vehicle can be operated.

[0008] A better system is needed to manage access to vehicles used in fleets. For fleet management, it would be beneficial to authorize different degrees of vehicle access for different users, all of whom can use the same vehicle. It would also be beneficial if each vehicle could be configured to provide each operator with different control access than the access provided to another operator. It would also be beneficial for each user to have a single key or access means that provides different authorized access in different degrees to different vehicles in the fleet.

[0009] It is therefore an object of the present invention to provide a system that provides different authorized degrees of access to a plurality of users for individual vehicles in a fleet.

SUMMARY OF THE INVENTION

[0010] In accordance with a first embodiment of the invention, a method for permitting different authorized degrees of access to a plurality of users of a vehicle is provided in which each of the users has a radio transponder coupled to an operating key for operating the vehicle. The radio transponder stores data indicative of each user's authorized degree of access of the vehicle. The authorized degrees of access is different for each of the plurality of users. The method includes transmitting first data indicative of a first authorized degree of access to a vehicle control system on the vehicle from a first transponder coupled to the first operating key. The first transmitted data is compared with data stored in the vehicle control system to determine the first authorized degree of access and to provide the first user with the first authorized degrees of access. The first operating key is then used to operate the vehicle. At another time, second data indicative of a second authorized degree of access is transmitted to the vehicle control system from a second transponder coupled to the second operating key of the vehicle. The second transmitted data is compared with data stored in the vehicle control system to determine the second authorized degree of access and permit the second user to operate the same vehicle with the second authorized degree of access. The first authorized degree of access and the second authorized degrees of access are different, but are configured simultaneously by the control system.

[0011] The first and second authorized degree of access may differ by at least one of the following characteristics: the allowed times and dates of operation, the hours during the day when the vehicle may be operated, the dates on which the vehicle may be operated, the total time of authorized operation, and the subsystems of the vehicle that the operator is authorized to operate. The method may also include controlling access to one or more of the following subsystems: an engine subsystem, an engine fuel subsystem, an engine starting subsystem and an auxiliary hydraulic subsystem. An auxiliary hydraulic controller controls the flow of hydraulic fluid in the auxiliary hydraulic system. The user or operator is authorized operational access to the hydraulic system based on data in the first or second transponders. Data indicative of the first and the second authorized degree of access may include conditional limitations that may prevent use of the vehicle if the Limitations are exceeded. The conditional limitations may be communicated or downloaded from the transponder and may include data indicative of one or more of the following: the number of hours of authorized use, the total distance of authorized travel, the maximum speed of authorized operation, the maximum load on the engine and the geographical area in which the vehicle is authorized to operate.

[0012] In accordance with the second embodiment of the invention, a system for permitting different authorized degrees of access to a plurality of users of a vehicle is provided that includes a first radio transponder storing data indicative of a first authorized degree of access to the vehicle. A second radio transponder is provided and also stores data indicative of a second authorized degree of access to the vehicle. The first authorized degree of access is different than the second authorized degree of access. An electronic control system is mounted on the vehicle and is configured to provide different authorized degrees of control access to the vehicle for the first and second users based on the data indicative of the first and second authorized degrees of access stored in the first and second transponders.

[0013] The system may also include an operating switch and first and second operating keys configured to operate the operating switch wherein the first and second operating keys are respectively coupled to the first and second transponders. The electronic control system includes a radio transmitter configured to energize the first transponder when the first operating key is adjacent to or proximate the operating switch, and to energize the second transponder when the second operating key is adjacent to or proximate the operating switch. The electronic control system may enable vehicular subsystems in response to data received from the first transponder differently than the system enables vehicular subsystems in response to data received from the second transponder. The data received from the first transponder and the data received from the second transponder both may include data indicative of at least one of the following: a authorized geographical area of operation, allowed times and dates of operation such as the specific hours during the day the vehicle may be operated or the specific dates on which it may be operated, the total time of authorized operation, and the vehicular subsystems that a vehicle operator is allowed to use. The vehicular subsystems may further include at least one of the following: an engine subsystem, an engine fuel subsystem, and an engine starting subsystem.

BRIEF DESCRIPTION OF THE DRAWINGS

[0014]FIG. 1 illustrates the overall system, including a vehicle with a control system that is configured to communicate with a radio transponder.

[0015]FIG. 2 is a detailed view of the transponder showing the microcontroller, digital memory and the antenna.

[0016]FIG. 3 is a detailed view of the vehicle's control system showing the plurality of vehicle subsystems or components and their interconnections, including the reader circuit in the vehicle that communicates with the transponder.

[0017]FIG. 4 illustrates an exemplary controller of those shown in FIG. 3.

[0018] The invention will become more fully understood from the following detailed description when taken in conjunction with the accompanying drawings. Like reference numerals refer to like parts.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0019] Referring to FIG. 1, a vehicle 10 has a control system 12 that includes a reader circuit 14. This reader circuit generates an electromagnetic field 16 into the operator's station 18 of the vehicle and preferably in the local vicinity of the station. This electromagnetic field impinges on a radio (RF) transponder 20 that is carried by the operator to the vehicle. When the operator is adjacent to or proximate or in the vehicle, the electromagnetic field is sufficiently strong that it can energize transponder 20. In response to being energized, the transponder transmits data over radio waves to the reader circuit which reads the data. The control system 12 takes predetermined actions based upon the data transmitted from the transponder 20.

[0020] The transponder may be provided in one of several preferred forms. Transponder 20 may be in the form of a key fob, preferably molded into a plastic case 22 impervious to moisture (under typical operating conditions). Case 22 is mechanically coupled to an ignition key 24 by strap 23. Key 24 is configured to fit into and turn ignition switch 26 of the vehicle. In this arrangement the ignition key permits the operator to start the vehicle engine. Transponder 20 is accessed by the vehicle to determine what vehicle functions, operations, systems or sub-systems the operator is authorized or not authorized to use.

[0021] Transponder 20 may alternatively be molded into a thin credit card-sized sheath 25. Again, it is preferably impervious to moisture under ordinary operating conditions. In this form, transponder 20 is not mechanically coupled to a key, and is therefore easily carried in the operator's wallet, shirt pocket or pants pocket.

[0022] Transponder 20 may alternatively be molded into the plastic handgrip 26 of an ignition key 28.

[0023] Referring now to FIG. 2, the transponder 20 includes a microcontroller 30 in an integrated circuit package, an antenna 32 and a resonance capacitor 34 in series. A charge capacitor 36 is coupled to package and functions as a power source. The transponder is preferably one of Texas Instruments RFID products, more preferably one of their Multipage Transponders (MPT), Selective Addressable Multipage Transponders (SAMPT), or Selective Addressable Multipage Transponders (Secure) (SAMPTS). Other's that are acceptable include Microchip's, Motorola's, or Temic's transponders. These microcontrollers are programmed to provide individual and selectable read (and read-write) access to their internal digital memory. Their internal memory space preferably contains 80 or more bits of stored information. The memory is preferably arranged in separately addressable pages of memory.

[0024] To energize the transponder, it is placed in an oscillating electromagnetic field 16 generated by the reader circuit 14 (FIG. 1). This field oscillates at the resonant frequency of the antenna 32 and resonance capacitor 34, causing an oscillating current to build up between these two components. This oscillating current charges capacitor 36. The charge saved in capacitor 36 is then used to power microcontroller 30.

[0025] Once microcontroller 30 is powered, it filters the signal that is generated in the antenna and resonance capacitor and extracts superimposed data carried by the electromagnetic field. Based on preprogrammed instructions that it contains in an integral read-only memory, microcontroller 30 responds to the received data, which includes read (and preferably write) instructions. If the received instructions are read instructions, microcontroller 30 selects a particular data item from its internal memory to be transmitted to the vehicle, and transmits this data via antenna 32. Reader circuit 14 receives the information transmitted by the transponder, and processes it accordingly. If the instructions are write instructions, microcontroller 30 receives data from the vehicle via field 16 and stores this data in its internal memory.

[0026] In a first embodiment, the data stored in the memory of microcontroller 30 may include numeric or digital values that are remotely downloaded into the transponder and are indicative of (1) a total distance which the vehicle is authorized to travel for that operator, (2) a geographical area in which the vehicle may only be operated, (3) the allowed times and dates of operation, such as (i) the specific hours during the day when the vehicle may be operated or (ii) the specific dates on which it may be operated, (4) the total time of vehicle operation that is authorized, and (5) the subsystems that the operator is allowed or authorized to use.

[0027] In a second embodiment, the data stored in microcontroller 30 of the transponder may also include data downloaded from the vehicle itself, such as (1) the distance traveled by the vehicle, (2) the date and times of specific events, such as the time the vehicle was started and the time the vehicle was stopped, (3) time-triggered elapse records, such as service reminders, and a vehicle rental period expiring, (4) vehicle conditions, such as a threshold or maximum engine load experienced by the vehicle during operation or a current odometer reading, (5) fault or error conditions experienced during operation, such as low fuel conditions, low oil or oil pressure conditions, engine coolant over-temperature, engine electrical output too low or too high, and (6) the amount of consumables remaining in vehicle, such as the fuel level, coolant degree, oil degree, and hydraulic fluid degree.

[0028]FIG. 3 shows vehicle control system 12 of FIG. 1 in more detail. Control system 12 includes a vehicle status and monitoring controller 38 that is coupled to reader circuit 14 over an RS485 telecommunications link 42. System 12 also includes several other microprocessor-based controllers that are coupled together with monitoring controller 38 by vehicle serial bus 44. These controllers include an engine controller 46, a transmission controller 48, an auxiliary controller 50, and a user I/O controller 52.

[0029] Monitoring controller 38 is coupled to a satellite navigation receiver 56 that is configured to receive radio transmissions from satellites and to convert them into data indicative of the vehicle's current location such as latitude and longitude. Controller 38 is also coupled to reader circuit 14 that communicates with transponder 20.

[0030] Reader circuit 14 includes a radio frequency module, such as Texas Instruments' RI-RFM-007B and a control module such as Texas Instruments' RI-CTL-MB6A. The control module is the interface between the radio frequency module and controller 38. The control module controls the transmitting and receiving functions of the radio frequency module according to commands sent over the serial connection from controller 38 to the control module. The control module decodes the received RF signals, checks their validity and handles their conversion to a standard serial interface protocol, which in the preferred embodiment, includes an RS-485 interface. Hence the RS 485 serial communication link 42 between reader circuit 14 and controller 38.

[0031] Controller 38 directs reader circuit 14 by issuing several commands over the RS-485 connection to the control module. These commands include a query command to query for any transponder in range, and a specific query command to query for a specific transponder by its embedded identification number. While it is possible for all the vehicle and operator information in transponder 20 to be transmitted as one long string of bits, it is more efficient and fast to arrange such data into a series of “pages” in transponder 20, pages that can be individually retrieved by controller 38 on a page-by-page basis. In this manner, controller 38 need not wait until the entire contents of transponder 20 are downloaded to reader circuit 14 and hence to controller 38, but can selectively request specific items of information that are specific to the particular task that controller 38 is attempting to perform.

[0032] This specific query command causes reader circuit 14 to generate and transmit radio signals through antenna 58 into the surrounding environment of the operator's station and near proximity to the operator's station. If any transponder is close enough to be energized by the electromagnetic field 16 generated by antenna 58, it is energized and internally checks to see if it has the identification number broadcast by antenna 58. If so, it responds with an affirmative message, and thereby establishes a communication session with controller 38.

[0033] On the other hand, if a general query is transmitted, all transponders in the vicinity (i.e. close enough to be energized) will respond to the transmission with a response that includes their identification number. The transponders are a part of a system wherein each operator has his own transponder and is preferably uniquely identified by their transponders. Hence, each transponder in the fleet management system preferably has a different identification number stored in its memory in microcontroller 30, and thus can uniquely identify the person carrying the transponder. By using the general query, reader circuit 14 can single out and identify any transponder within range. It can subsequently single out and communicate with each transponder in range by transmitting successive specific queries that successively identify each of the transponders in the vicinity.

[0034] Once the reader circuit 14 establishes the existence of a particular transponder or transponders within the range of its antenna 58, it then continues the communications session by sending a request to the transponder to download information from the memory of microprocessor 30 to the reader circuit and thence to controller 38 for processing. Transponders currently commercially available have a limited amount of memory that can be written to or read from. As transponders develop, more and more memory space in transponders will be available for storage and retrieval. As a result, it may take a significant period of time to transmit all the operator information from the transponder to the vehicle when the operator approaches the vehicle to start it. As a result, the operator may wait for a significant period of time for the initial communication session to complete and controller 38 to permit the vehicle to be operated.

[0035] To speed up this initial communication between the transponder and the vehicle, reader circuit 14 can continuously and periodically transmit general or specific queries. In this manner, as a potential operator with a transponder approaches the vehicle or enters the vehicle's cabin or operator's station, the initial communication between the transponder and the vehicle can commence automatically without special operator intervention to initiate it. Once the operator is within range, the transponder will be automatically energized by field 16, and will transmit the information requested by the vehicle even before the operator has situated himself in the operator's seat and attempts to start the vehicle's engine.

[0036] By the time the operator indicates that he wishes to start the vehicle, such as by operating the ignition switch 26 with a key, or pressing an “engine start” or other similar button on the vehicle, the initial communication between the operator's transponder and the vehicle's control system will have provided the control system with the information it needs to determine whether or not the operator is authorized to operate the vehicle. There will be no significant delay between the time the operator starts the engine and the vehicle gets underway.

[0037] There are drawbacks to this automatic and periodic querying in the vicinity of the vehicle, however. It can cause the vehicle's battery to drain. If the electromagnetic field extends outside the vehicle, the transponder of someone passing nearby the vehicle can be inadvertently energized, and the vehicle would then mistakenly gather information and prepare for vehicle operation. Someone could sit in the vehicle briefly, inadvertently establish communication with the vehicle control system due to its automatic querying, then depart after the vehicle gathered data from that person's transponder and assumed that person was going to operate the vehicle. A second person might then sit in the vehicle and operate it. This would be especially problematic if there were no special device, such as a key, required for operation.

[0038] To reduce the risk of a stray passing transponder initializing the vehicle, the transponder 20 and the antenna 58 of reader circuit 14 are preferably configured such that the transponder must actually be inside the vehicle before the electromagnetic field is sufficient to energize the transponder. Alternatively, they are configured such that the transponder is energized even when outside the vehicle, but the radio signal transmitted by the transponder is not sufficiently strong (from outside the vehicle) to return to the circuit 14. In either case, a passing transponder will not inadvertently establish communication with reader circuit 14.

[0039] In a further alternative embodiment, monitoring controller 38 can be configured to wait until someone engages a switch on the vehicle (preferably, but not necessarily ignition switch 26) before it signals reader circuit 14 to generate the electromagnetic field that energizes the transponders and subsequently to query the transponder (or transponders, as the case may be) in the vicinity of reader 14. By waiting until the operator engages a switch or other user interface before generating the electromagnetic field in response to an affirmative action by the operator, vehicle battery life is substantially extended.

[0040] In the event ignition switch 26 is used, the switch will be authorized to start the vehicle in a typical fashion, but any additional functions will not be enabled until controller 38 has received the data stored in transponder 20 and determined whether the operator is authorized to operate specific vehicle systems. During this process, controller 38 will not authorize the transmission controller to engage the transmission in a gear ratio. Once the data has been received by reader circuit 14, it is formatted and transmitted to controller 38 for processing.

[0041] Monitoring controller 38 also communicates with the other controllers by transmitting packets of data on the communications bus 44 extending between the various controllers on the vehicle. These packets of data may be broadcast to all the controllers with a header indicating the contents of the packet, or they may be transmitted to individual controllers with a header including a controller address identifying the controller to which they are addressed, as well as information indicating the contents of the data in the packet. Any of the data items received from transponder 20 can be transmitted in this manner.

[0042] Controller 38 receives packets of data indicative of vehicle status and events that are transmitted by the other controllers on the CAN bus such as the engine RPM, engine load, engine throttle position, the distance traveled, elapsed time since last oil change, the oil change intervals, the engine oil temperature, the engine coolant temperature, the engine oil level, the elapsed hours of engine operation, error conditions experienced by any of the controllers, the vehicle's geographical location, as well as any operator requests to operate specific subsystems or subcomponents of the vehicle.

[0043] Controller 38 periodically compares the data it has received from the other controllers and from its own sensors (the receiver 58) with the transponder data it received from the transponder to determine whether the operator has attempted to exceed any of the operational limits that were indicated by the transponder data. For example, if the engine may be operated for only a predetermined number of hours, controller 38 compares the elapsed engine hour data received from the engine controller with the authorized hours received from the transponder and performs one or more predetermined functions based upon the result of that comparison.

[0044] If these limits are exceeded, and depending upon the priority of the particular transponder limits, controller 38 will transmit a packet that shuts down a particular vehicle subsystem. For example, by directing the engine controller 46 to shut down the fuel pump, the ignition system, or to limit the speed of the vehicle or the engine. At substantially the same time, controller 38 will preferably transmit a packet to I/O controller 52 commanding it to display a message indicating what limit has been exceeded.

[0045] In other cases, especially if the priority of the limits is lower, controller 38 may only send a packet to the I/O controller 52 telling it to display a message indicating that a particular limit has been exceeded, but not sending a packet to engine controller 46 directing it to shut down any or all of the sub-systems it controls. For example, if the vehicle is a rental car and it is traveling down the highway at 60 miles per hour, common sense would dictate that the engine couldn't be stopped immediately. Hence, exceeding a authorized distance of travel or authorized zone of travel while the vehicle is moving at a predetermined speed or greater would be a low priority message and controller 38 would not shut the engine sub-systems down. On the other hand, if the operator is only authorized to use the car's radio for 10 miles, the radio could be shut down immediately without causing problems (a high priority message).

[0046] Engine controller 46 is coupled to the vehicle's engine 60 which it monitors and controls. Engine 60 may be a spark ignition or a diesel engine. The engine controller 46 controls the engine by sending a signal to the engine's governor 62 that typically indicates a commanded fuel flow rate or power output. The governor, in response to this signal, varies the rack position of the fuel injector system (i.e. a mechanical system), or transmits an electronic signal to each of the fuel injectors (if an electrical injector system). Alternatively, it may open or close a combustion air valve or “throttle valve” that regulates the flow of air to each combustion chamber of the engine. The governor, if electronic, transmits a signal back to engine controller 46 that is indicative of the speed of the engine. As an alternative, a separate engine speed sensor 64 can be provided, such as a shaft speed sensor or a sensor that monitors the fluctuations in electricity coming out of the engine's alternator. The frequency of these fluctuations are proportional to the speed of the engine.

[0047] Engine controller 46 is also coupled to several sensors 66 that are themselves coupled to the engine to generate signals indicative of oil pressure (oil pressure sensor), oil temperature (oil temperature sensor), coolant water temperature (coolant temperature sensor), engine speed (sensor 64) and engine load.

[0048] Engine controller 46 is also coupled to fuel pump 68 to either enable or disable the fuel pump by connecting or disconnecting power to the pump. The fuel pump itself uses mechanical or electrical feedback to automatically maintain the desired fuel pressure of the fuel provided to the engine.

[0049] Engine controller 46 is also coupled to ignition system 70 of the engine (in the case of spark ignition engines) to either energize or de-energize the ignition under computer control. In addition, engine controller 46 is coupled to the engine starting motor 71 to turn the starting motor on or off under computer control.

[0050] The engine controller is therefore configured to monitor various conditions of the engine, as well as directly control the operation of the engine by selectively enabling or disabling engine subsystems such as ignition, fuel, and starting.

[0051] Auxiliary controller 50 controls the operation of various hydraulically powered subsystems of the vehicle. Engine 60 drives a hydraulic fluid pump 72 that provides a source of pressurized hydraulic fluid. This fluid is controlled and directed by auxiliary controller 50. Auxiliary controller 50 is coupled to and drives several auxiliary hydraulic valves 74 (AUX_(l) . . . AUX_(n)). These valves are typically on-off valves or pulse-width modulated proportional control valves that regulate the flow of hydraulic fluid. If vehicle 10 is a backhoe or has a backhoe attachment, for example, controller 50 and valves 74 control the flow of fluid to a boom swing cylinder, a boom lift cylinder, a dipper cylinder and a bucket cylinder, which are each coupled to and controlled by at least one auxiliary valve 74. Thus, one or more auxiliary valves are provided to control the flow of hydraulic fluid to or from various hydraulically driven implements. If the vehicle is a dump truck, for example, controller 50 controls the flow of fluid to and from the cylinders that lift the box of the truck to dump it. If the vehicle is a loader, loader/backhoe, bulldozer, or skid steer loader, for example, auxiliary controller 50 regulates the flow of fluid to and from the lift arm cylinders and bucket cylinders (as the case may be) that raises, lower, and tilt the bucket. The operator can be authorized (or denied) to operate any or all of these subsystems by data in the transponder.

[0052] Transmission controller 48 controls the shifting of the vehicle's transmission 76. Controller 48 is coupled to and drives several clutch control valves 78 (CV₁ . . . CV_(n) in FIG. 3) that in turn control the flow of hydraulic fluid to and from hydraulic clutches in the transmission. These valves, depending upon the type of clutches employed, may be on-off valves or proportional control valves.

[0053] Controller 48 is also configured to select the particular clutches necessary to engage the transmission in a particular gear ratio and sequentially energizes the clutch control valves 78 such that appropriate gears and shafts are engaged. The transmission is preferably a powershift transmission in which most, if not all, of the gear ratios of the transmission are selectable by filling one or more hydraulic clutches coupled to valves 78.

[0054] Input/output controller 52 drives and responds to operator interface devices including keyboard 80, display 82, audio annunciator 84, and key switch 26. In addition, one or more control levers 88 are provided for operating the auxiliary valves controlled by controller 50.

[0055] It is through these input devices that the operator communicates with the vehicle. The keyboard may be arranged as a closely spaced array of buttons, or the buttons may be spread out around the operator's station to make them easier to operate.

[0056] Display 82 is preferably a liquid crystal display, an electroluminescent display or the like having a region for displaying alphanumeric messages. This region is configured to display a plurality of different messages indicating the data stored in transponder 20 as well as information regarding the status of the vehicle, such as alarm conditions including (1) engine coolant water temperature too high, (2) engine coolant level too low, (3) engine lubricating oil temperature too high, (4) engine lubricating oil pressure too low, (5) hydraulic fluid pressure too low, or (6) hydraulic fluid temperature too high. Display 82 is preferably a multi-line display.

[0057] In addition, display 82 is configured to display the status of the vehicle based upon data retrieved from the transponder. For example, if the operator is not authorized to operate a particular subsystem of the vehicle as indicated by the data downloaded to controller 38 from transponder 20, display 82 is configured to display these limitations on display 82 at substantially the same time that the operator starts the vehicle. Some of the data downloaded from the transponder to controller 38 indicates limits on use of the vehicle such as the number of hours of authorized use, the total distance of authorized travel, the maximum speed of authorized operation, the maximum load on the engine and the geographical area in which the vehicle is authorized to operate. These are conditional limitations, since they may never prevent use of the vehicle unless they are exceeded. For this reason, display 82 is also configured to display messages as these limits are approached.

[0058] If the vehicle approaches its geographical limits of operation as determined by the controller 38, for example, display 82 is programmed to display an alphanumeric message indicating this impending condition with a notice such as “This vehicle cannot be used outside of Michigan.”

[0059] When the operator approaches the maximum number of hours or miles of operation as determined by controller 38, display 82 is configured to display an alphanumeric message indicating this impeding condition, by displaying a message such as “Only 15 minutes left to operate the vehicle” or “Only fifteen miles left to operate the vehicle”. Similar messages are displayed when the vehicle approaches its maximum authorized speed and maximum authorized load as indicated by data downloaded from the transponder.

[0060] Other data downloaded from transponder 20 may indicate other limits on operation, such as the operator not being authorized to operate specific sub-systems of the vehicle, such as (1) the various hydraulically actuated devices (e.g., front loader, backhoe, dozer blade, fork lift, or road grader blade hydraulic actuators) that are attached to or an integral part of the vehicle, or (2) to gain physical access to parts of the vehicle, such as by preventing the glove compartment latch, engine compartment latch, gas tank cover latch or trunk latch from being operated, which would thereby permit access to these compartments, or (3) preventing various accessories from being operated, such as a radio, vehicle heater, air conditioner, tape or CD player, navigation computer, or TV.

[0061] In the case of these various devices and subsystems that may be impermissible to use, display 82 is configured to generate an alert message at substantially the same time that the operator attempts to use them by displaying an appropriate message preferably indicating both (1) that use is not authorized, and (2) the device the operator attempted to operate.

[0062] This message could be displayed symbolically. For example, if the transponder indicated that the backhoe was not authorized to be used, it could display a device symbol in the shape of the backhoe (the device) with the international “not authorized” symbol of a red circle with a diagonal line through it superimposed on top of the device symbol when the operator moved levers 88 attempt to move the backhoe by operating valves 74. Alternatively, this message could be displayed in words. For example: “The backhoe may not be used”.

[0063] Input/output controller 52 is also configured to energize audio alarm 84 substantially simultaneously with the appearance of a message to draw the operator's attention away from the device he is attempting (and not authorized) to operate and to the appropriate message on display 82.

[0064] All the controllers on bus 44 are in constant communication with each other while the vehicle is operated. As the transmission controller changes gear ratios and shifts the transmission, it packetizes information indicating the gear ratio or occurrence of a shift and places it on the bus for the other controllers to use.

[0065] As the engine controller controls the operation of the engine, it packetizes information relating to the engine and places that information on the bus for the other controllers to use. This information includes such data as the engine speed, values indicative of the various engine oil and water temperatures and pressures provided by the sensors, and the total elapsed hours of engine operation discussed above.

[0066] As the auxiliary controller 50 operates the various hydraulic valves, it packetizes information indicating which valves 74 are open and closed, and by how much they are opened and closed, and places these packets on the serial bus 44 for the other controllers to use.

[0067] As the input/output controller 52 monitors the user input devices including levers 88, keyboard 80 and ignition switch 26, it packetizes these operator requests and places the packets on the bus indicating the particular operational requests made by the operator. These include, but are not limited to, packets indicating the operator's attempts to operate the various subsystems of the vehicle that he is not authorized to operate.

[0068] The monitoring or communications controller 38 similarly packetizes the data it receives from the transponder 20 and places it on the bus 44 for the other controllers to use.

[0069] In this manner each controller 38, 46, 48, 50 and 52 is made aware of the state of the various devices and actuators controlled or monitored by the other controllers.

[0070] Just as the various controllers are configured to transmit packetized information on bus 44 for use by other controllers, they are also configured to receive packetized information transmitted from the other controllers and use this data internally for their own programmed operations.

[0071] Monitoring controller 38, for example monitors the status of information transmitted by the other controllers that is indicative of the status of the other controllers and the subsystems and components to which they are attached. For example, when the operator manipulates levers 88 to move the various hydraulic components that are controlled by auxiliary controller 50, I/O controller 52 places a packet indicative of this request on bus 44. Controller 38 this packet and compares the operator request with the data it has received from transponder 20 and determines whether the operator is authorized to operate the requested hydraulic device. If the operator is authorized access, monitoring controller 38 signals its approval by packetizing and forwarding the request to auxiliary controller 50. Alternatively, if the operator is not authorized to operate the auxiliary device (typically a hydraulic actuator or actuators controlled by valves 74), monitoring controller 38 will not forward the operator request to controller 50. Instead, controller 50 will send a packet to I/O controller 52 directing it to display a message indicating that the requested operation is not authorized. Controller 52, when. it receives this packet of information will responsively display an alert message as discussed above, and will optionally energize annunciator 84, causing it to generate a sound to get the operator's attention.

[0072] As engine controller 46 operates, it transmits packets on bus 44 indicative of the elapsed time the engine has been operated. Controller 38 receives this information, compares it with any limitation of engine operation time that it received from transponder 20 and, if the vehicle is approaching the time limit of engine operation, transmits a packetized message to I/O controller 52 directing it to display a message indicative of the approaching time limit. Controller 52 will responsively display the requested message and will preferably energize annunciator 84 causing it to generate a sound to get the operator's attention.

[0073] Controller 38 also receives the data indicative of the vehicle's current position from receiver 58, and compares it with the data indicative of the authorized geographical area of operation received from transponder 20. If the vehicle is approaching the geographical limit of operation or has exceeded it, for example, controller 38 transmits a packet to I/O controller 52 directing it to generate a corresponding message. Controller 52 responsively displays that message.

[0074] Engine controller 46 is configured to transmit packets of data indicative of elapsed engine hours, engine RPM and engine load among other data. Controller 38 receives these packets and compares this data with the data indicative of authorized engine speed and engine load that were downloaded from transponder 20. If the engine RPM or load approaches the authorized engine RPM or load, controller 38 transmits a packet to I/O controller 52 indicative of these conditions. Controller 52 responsively transmits a message to display 84 indicates this condition. In addition, controller 38 transmits packetized data to engine controller 46 directing engine controller 46 to limit the RPM and load to the approved limits indicated by the data retrieved from transponder 20. Engine controller 46 will, in response, prevent the engine from exceeding the load and RPM limit by controlling the engine governor or throttle valve to maintain the engine at or below the load or RPM limit. Alternatively, controller 38 may be configured to transmit the engine speed and load limits to engine controller 46 on startup (when controller 38 the data stored in transponder 20), and engine controller 46 can be configured to maintain these speed and load limits by itself, without input from controller 38 by periodically comparing the actual speed and load with the speed and load limits sent to it by controller 38 and automatically preventing the engine from exceeding these limits.

[0075] Referring now to FIG. 4, each controller (including controller 38) of FIG. 3, has a microprocessor 90, RAM memory 92 and ROM memory 94, as well as a dedicated communications processor 96 configured to handle all communications over bus 44 with the other controllers on the bus (FIG. 3).

[0076] Each controller also includes a sensor conditioning circuit 98 that interfaces the sensor signals (such as sensors 66, levers 88, keyboard 80, switch 26) to bus 100. Circuit 98 filters and buffers the signals to eliminate noise, and may include sample-and-hold sub-circuits as well as analog-to-digital converters for processing analog sensor signals.

[0077] In addition, each controller includes a driver circuit 102 that controls the application of power to the actuators, including, without limitation, the valves driven by the transmission and auxiliary controllers, the fuel pump, governor and ignition system driven by the engine controller, and the electronic display driven by the I/O controller. The microprocessor, RAM, ROM, and communications processor are all coupled together by control/data/address bus 100 within each controller.

[0078] The ROM memory 94 contains the programmed instructions that control the operation of the microprocessor 90 in that controller.

[0079] The RAM memory 92 is used to store working variables required by the microprocessor. A particularly preferred processor for each of the controllers is a MC68HC11, MC68HC908AZ60, MPC555, or MPC565 microprocessors by Motorola. The preferred dedicated communications processor is any of the standalone CAN processors, such as those manufactured by Microchip or Phillips. the advantage to the Motorola 68HC908AZ60, the MPC555, and the MPC 565 processors is that they include both the communications processor and the microprocessor on the same die and therefore in a single package.

[0080] Thus, each of the controllers shown in FIG. 3 is coupled to the other controllers of FIG. 3 by a serial communications bus 44. Each controller has its own internal communications bus 100 that couples the microprocessor, RAM, ROM, and dedicated communications processor of each controller. Each controller likewise controls one or more different subsystems of the vehicle and receives necessary data regarding the control of its subsystems from the other controllers.

[0081] While the embodiments illustrated in the FIGURES and described above are presently preferred, it should be understood that these embodiments are offered by way of example only. For example, the principles of the present invention may find applications in automotive, agricultural and construction vehicles. The transponder may be a self-powered radio transmitter or transmitter/receiver. The invention is not limited to a particular embodiment, but extends to various modifications that nevertheless fall within the scope of the appended claims. 

What is claimed is:
 1. A method for permitting a plurality of users of a vehicle to have different degrees of operating access to the vehicle, each of the users having an operating key for operating the vehicle and a radio transponder coupled to the operating key for storing data indicative of the authorized degree of operating access to the vehicle for each user, the method comprising: transmitting first data indicative of a first authorized degree of operating access to a vehicle control system on the vehicle from a first transponder coupled to a first operating key for the vehicle; comparing the first transmitted data with data stored in the vehicle control system to determine the first authorized degree of access and to provide a first user with the first authorized degrees of access; using the first operating key to operate the vehicle; transmitting second data indicative of a second authorized degree of operating access to the vehicle control system from a second transponder coupled to a second operating key for the vehicle; comparing the second transmitted data with data stored in the vehicle control system to determine the second authorized degree of access and to provide a second user with the second authorized degree of access; using the second operating key to operate the same vehicle at a time different than when the first operating key is being used; wherein the first authorized degree of access and the second authorized degree of access are different.
 2. The method of claim 1, wherein the first and second authorized degrees of access are different according to at least one of the following characteristics: total distance of authorized operation, geographical areas of authorized operation, specific hours during a day when the vehicle may be operated, dates or days of the week when the vehicle may be operated, total time of authorized operation, and access to subsystems of the vehicle.
 3. The method of claim 2 wherein access is permitted to a user for one or more of the following vehicle subsystems: an engine ignition subsystem, an engine fuel pump subsystem, an engine starting subsystem, and an auxiliary hydraulic subsystem.
 4. The method of claim 3, wherein an auxiliary hydraulic controller is provided to control the flow of hydraulic fluid to the auxiliary hydraulic subsystem, and wherein the user is authorized to operate the hydraulic subsystem based upon data in the user's transponder.
 5. The method of claim 1, wherein data indicative of the first and the second authorized degree of access includes conditional limits that prevent the use of the vehicle if the conditional limits are exceeded.
 6. The method of claim 5, wherein data indicative of the conditional limits are communicated from the transponder and include data indicative of one or more of the following: the total hours of authorized use, the total distance of authorized travel, the maximum speed of authorized operation, the maximum load on the engine and the geographical area in which the vehicle is authorized to operate.
 7. A system for permitting different authorized degrees of access for a plurality of users of a vehicle, comprising: a first radio transponder storing data indicative of a first authorized degree of access to the vehicle; a second radio transponder storing data indicative of a second authorized degree of access to the vehicle, wherein said first authorized degree of access is different from the second authorized degree of access; and an electronic control system mounted on the vehicle and configured to provide different authorized degrees of access to the vehicle to a first user and a second user based on the data indicative of the first and second authorized degree of access stored in the first and second transponders.
 8. The system of claim 7, further comprising an operating switch and first and second operating keys configured to operate the operating switch, wherein the first and second operating keys are coupled to the first and second transponders.
 9. The system of claim 8, wherein the electronic control system includes a radio transmitter configured to energize the first transponder when the first operating key is located proximate to the operating switch, and to energize the second transponder when the second operating key is located proximate to the operating switch.
 10. The system of claim 8, wherein the electronic control system enables access to subsystems of the vehicle in response to data received from the first transponder that is different than access to subsystems in response to data received from the second transponder.
 11. The system of claim 10, wherein the data received from the first transponder and the data received from the second transponder both include data indicative of at least one of the following: an authorized geographical area of operation, days of the week that are authorized for operation, specific hours during the day when the vehicle may be operated, specific dates on which the vehicle may be operated, the total time of authorized operation, and subsystems of the vehicle authorized for use.
 12. The system of claim 11, wherein the data received from the first and second transponders authorizes use of at least one of the following: an engine ignition subsystem, an engine fuel delivery subsystem, and an engine starting subsystem.
 13. A method of providing different authorized degrees of access to a plurality of users for a vehicle in a fleet of vehicles, each of the users having a radio transponder coupled to an ignition key for the vehicle's ignition switch, the radio transponder storing data indicative of each user's authorized degree of access to said vehicle, the method comprising: inserting a first ignition key into said ignition switch; transmitting first data to a vehicle control system on the vehicle from a first transponder coupled to the first ignition key; comparing the first transmitted data with data stored in the vehicle control system to determine the first authorized degree of access and to provide the a user with the first authorized degree of access; inserting a second ignition key into the ignition switch at a time different than when the first key is inserted; transmitting second data to the vehicle control system from a second transponder coupled to the second ignition key of the vehicle; comparing the second transmitted data with data stored in the vehicle control system to determine the second authorized degree of access and providing a second user with the second authorized degree of access; wherein the first authorized degree of access and said second authorized degree of access are different and wherein the vehicle control system can be configured simultaneously with the first authorized degree of access and with the different second authorized degree of access.
 14. The method of claim 13, wherein the first and second authorized degrees of access differ by at least one characteristic selected from the group of characteristics including: allowed times and dates of operation, hours during the day when the vehicle may be operated, total time of authorized operation, and vehicle subsystems that the operator is authorized to operate.
 15. The method of claim 14, further comprising the step of controlling access to one or more subsystems selected from the group including the following subsystems: an engine ignition subsystem, an engine fuel supply subsystem, an engine starting subsystem, and an auxiliary hydraulic subsystem, wherein the hydraulic subsystem is configured differently for the first user than for the second user based at least partly upon the different first and second authorized degrees of access.
 16. The method of claim 15, wherein the auxiliary hydraulic subsystem includes an auxiliary hydraulic controller that controls the flow of hydraulic fluid to at least a lift cylinder and a bucket cylinder, and further wherein the vehicle control system permits the first user and the second user to differently operate the cylinders based upon data in at least one of the first and second transponders that is transmitted to the vehicle control system.
 17. The method of claim 16, wherein the first and the second authorized degree of access include conditional limitations that limit the use of a portion of the vehicle if the conditional limitations are exceeded.
 18. The method of claim 17, wherein data indicative of the conditional limitations are downloaded from at least one of the first and second transponders to the vehicle control system and permit the vehicle control system one or more of the following: the number of hours of authorized use, the total distance of authorized travel, the maximum speed of authorized operation, the maximum load on an engine and a geographical area in which the vehicle is authorized to operate. 